Private Sector Should Help Shape Cybersecurity Laws

One of the most unexpected findings of our recent survey on attitudes toward negotiating with cybercriminals was that 44% of security pros said they would give government investigators complete access to their networks following cybercrime extortion attempts.

Surprising? Yes.

But it makes some sense. After all, you’d want to get to the bottom of what caused a data breach. Yet, when asked if the government should establish policies and offer guidance to companies that suffer extortion attempts, 38% said “No.”

Does that strike you as a paradox?

There is greater willingness to open up networks to government officials than to accept policies and guidance from the government. But when you think about it, once a breach has occurred, wouldn’t it be preferable to follow established policies than to grant the government full access to your network without any sort of guideline?

Many security pros favor government intervention and assistance when it comes to combating cyber-extortion. 10% say the government should make negotiating with cybercriminals a crime.

Perhaps security pros fear the policies would be too burdensome, but what if you had a say in those policies? As it happens, the Obama administration recently introduced a proposal addressing cybersecurity incident disclosure and information sharing. So the timing is good for speaking up about cybersecurity regulations.

The Cybersecurity Information Sharing Act (CISA) proposed by the administration would standardize breach disclosure through a federal statute. Currently 46 states, the District of Columbia and several territories have their own disclosure requirements, each different from the next, creating a challenge for companies operating in multiple jurisdictions.

Beyond disclosure uniformity, CISA would encourage the private sector to share cybersecurity information and threat intelligence with the government, specifically the Department of Homeland Security, as well as facilitate collaboration and sharing between private companies.

Not surprisingly, this has raised privacy concerns. Critics warn CISA could be used for surveillance, although the administration says unnecessary personal information would be removed from any shared data.

What CISA ultimately looks like – should Congress ever approve it – is anyone’s guess. But the idea of standardizing cybersecurity disclosure policies and collaboration between the private sector and government has some merit. And IT security pros and other private interests might want to take an active part in a conversation about the proposal.

This could be your only chance to actually have a say in how the regulations take shape. And ultimately, having well-defined and well-thought-out disclosure procedures in place is probably better than letting government investigators indiscriminately sift through your networks after they have been breached.